
I really can't help with what might have happened; it may well have been RedHat's update that caused the problem, but very hard to say.

If your system has been on the internet unprotected (ie no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...

You may want to check out chkrootkit, which can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.

If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion, .... fresh install, update, harden then get it back online.

Originally posted here by Phat_Penguin: I really can't help with what might have happened; it may well have been RedHat's update that caused the problem, but very hard to say.

If your system has been on the internet unprotected (ie no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...

You may want to check out chkrootkit, which can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.

If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion, .... fresh install, update, harden then get it back online.

Good luck.

I think I will not format first... I can look around at what had really happened to my box... anyway I have nothing important in it...

Firstly, every file that was requested either 404ed (not there) or 403ed (access denied).
Secondly, and I have no knowledge worth anything about Linux, but I can tell you that even if you had dirs such as c:\winnt\system32 you wouldn't have anything meaningful in them. The files that were being requested wouldn't run on your box. So even if they were there, they would crash your machine at worst if they were executed.
Thirdly, you said the symptoms began at 0715..... then you show your cron starting at... oh... 0715.... funny that...
Lastly.... This is a classic attack on IIS.... since you are running Apache.... you are just fine.

Nebulus: You say that the Apache logs are so much better than IIS, (and I don't want to get in a pissing match about "my OS is better than yours"..... ) but would you care to show me what information you were seeing in the Apache logs Penguin posted that I can't find in my IIS logs...... IIS can log in several different ways and at several levels of detail..... The logs Penguin posted are practically identical to the IIS logs I capture on my sites - right down to the order in which the info is logged.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
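Tiger Shark's triage above boils down to three checks against the Apache log: which requests asked for Windows/IIS-only paths, what status each of those got, and whether any of them was actually served. The following script is an added example, not code from this thread or from anyone in it, that runs exactly that triage over Apache "combined" format lines. The log lines are constructed for the example (the thread's real logs are not reproduced here), and the list of IIS-only path markers is an illustrative assumption based on the c:\winnt\system32 directory mentioned in the post; extend it to whatever your own scanner noise looks like.

```python
import re
from collections import Counter

# Apache "combined" log format. Tiger Shark notes IIS's W3C extended logs
# carry the same fields in the same order, so the parse logic ports across.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Path fragments that only mean something on a Windows/IIS host. On an Apache
# box they can at most yield a 403/404. Assumption: this list is illustrative.
IIS_ONLY_MARKERS = ("winnt/system32", "cmd.exe")

# Constructed sample log lines (not the thread's actual logs). The last line
# is deliberately malformed to show that unparseable input is counted, not fatal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2003:07:15:02 +0800] "GET /scripts/winnt/system32/cmd.exe HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [10/Feb/2003:07:15:03 +0800] "GET /c/winnt/system32/ HTTP/1.0" 403 281 "-" "-"
198.51.100.4 - - [10/Feb/2003:07:16:10 +0800] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2003:07:17:44 +0800] "GET /_vti_bin/winnt/system32/cmd.exe HTTP/1.0" 404 290 "-" "-"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_iis_probe(path):
    """True if the requested path only makes sense against a Windows/IIS server."""
    p = path.lower()
    return any(marker in p for marker in IIS_ONLY_MARKERS)


def triage(log_text):
    """Summarise IIS-style probes in an Apache log: how many, what status, any served."""
    total = unparsed = probes = 0
    probe_status = Counter()
    successful = []   # probes answered with 2xx: the only ones worth real worry
    first_probe = None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        total += 1
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if not is_iis_probe(rec["path"]):
            continue
        probes += 1
        probe_status[rec["status"]] += 1
        if first_probe is None:
            first_probe = rec["time"]
        if rec["status"].startswith("2"):
            successful.append((rec["host"], rec["path"], rec["status"]))
    return {
        "total": total,
        "unparsed": unparsed,
        "probes": probes,
        "probe_status": probe_status,
        "successful_probes": successful,
        "first_probe": first_probe,
    }


def verdict(result):
    """One-line reading of the triage, in the spirit of Tiger Shark's post."""
    if result["successful_probes"]:
        return "some IIS-style requests were served with 2xx: investigate those paths"
    if result["probes"]:
        return "IIS-style probes seen, all refused (403/404): background scanner noise"
    return "no IIS-style probes found"


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print(f"{res['total']} lines, {res['unparsed']} unparsed, {res['probes']} IIS-style probes")
    print("status breakdown:", dict(res["probe_status"]))
    print("first probe at:", res["first_probe"])
    print("verdict:", verdict(res))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. The point of the `first_probe` field is the thread's cron coincidence: the earliest probe timestamp is what you compare with whatever else started at 0715 before deciding the two are related.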

Tiger Shark:
Hmm...maybe it was how the web servers were setup that I had to investigate or maybe it was the version (I think they were 4.0 not 5.0), not sure. It seemed that every IIS server I had to look at (for investigations) was missing very critical information like the HTTP return code and browser version; however, when I logged in and checked the IIS server I have to maintain (wasn't given a choice unfortunately), the log file in fact did contain pretty much the same information, so not sure what happened to those logs that I have looked at in the past...

Point taken.

/nebulus

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

nebulus: np.... I thought you could see something I couldn't.... maybe the logging was set up differently on the older boxes, but IIS 4 & 5 have had the same basic options for logging - it's just a matter of choosing what you want to see....... And, IMO, you can't log enough stuff..... Well, up until the point where you have used all your storage....

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides